Archive for the ‘Uncategorized’ Category

Recently, Sophos like to mark attendance at a trade show by running a geeky puzzle competition and they’ve just done one for blackhat, which I actually managed to finish.

A hackable crossword puzzle

The puzzle started with a fairly straightforward crossword. Now, I’m terrible at crosswords, but fortunately this crossword had an answer checking function in its Javascript source code which contained hashes of the answers, using its own simple hashing function:

Porting this into PHP (my default scripting language) and using /usr/share/dict/words, it was pretty simple to solve a good number of the questions automatically. The hashing algorithm was prone to a lot of collisions, but narrowing down the possible words by length helped. I checked this worked properly against an easy clue: “How information starts its life”, which of course is “data”.

This technique gave me a nice spread of completed words across the board:

Decrement RCX and branch if not zero.: loop

The moves a pentester makes once he’s in.: lateral

Autonomous software (but not quite a virus).: agent

It’s not a lens, but it’s focused on you anyway.: prism

Vulnerabilities that really work.: exploits

How information starts its life.: data

On the Mac, it’s Option E.: acute

Where you set up the base pointer.: prolog

The guy who’ll win in the Apple-Samsung case.: attorney

What amateur cryptograms are always claimed to be.: airtight

Apple couldn’t bring themselves to call it Wi-Fi.: airport

Whitfield Diffie helped you share it.: secret

What the BlackHat trade show staff are really after.: leads

Then spotting a few more easy ones: “You’ll read it if you want to win the prize. [5,8]” is of course “Naked Security“, “What you do to your code when you’re in a hurry.” I got worryingly quickly: “Hack at it”. A few more required some googling: “He decrypted Hittite” is Hrozny. Curiously the last clue to get was “Why you are doing this puzzle”. “it’s fun” and “I’m bored” didn’t fit in, but I had enough letters that I could come up with possible combinations of words based on the words list and grep. You can do this with any crossword e.g. the first word “_H_E_” can be found with:

grep -i "^.h.e.$" /usr/share/dict/words

and the last word with

grep -i "^.r.n.e.$" /usr/share/dict/words

Despite the middle letter being “d” and “three” coming up in the first list, I still didn’t spot the answer (see, terrible at crosswords) so I combined the 26 possible first words with the 45 possible last words, creating a list of 1170 possible words, which I could then just run the hashing function against to reveal the right answer. This made me feel simultaneously cunning and stupid.

The completed crossword

Moving on…

Counting in binary

As per the instructions on the competition page, this then gives you a string of 6 letters which form the password for the zip file containing the next stage, however you don’t know the case of each letter, which effectively means there are 2^6 possible passwords for the zip file. By considering an uppercase character as 1 and a lowercase character as 0, this is basically the same as counting from 0 to 64 in binary. e.g. if the possible letters were ABCDEF, you would first try abcdef, then abcdeF, abcdEf, abcdEF etc.

I wrote a simple script to create the word list and then ran “unzip -P [word] snodwen-message.zip” against each word. This gets you to the next stage.

Oh God, not FORTRAN

I hadn’t seen a line of FORTRAN for 12 blissful years until this point. The not-so-subtle reference to current affairs was a message as follows:

Dear Reader,

This is Teddy Snodwen speaking.

You don’t know me, and I don’t know you, but we may be able to help each other.

I have some private data I’ve encrypted, but I’m having some travel problems right now, with the result that I’m concerned about getting stuck in no-man’s land at some airport, unable to leave, or proceed, or get at my data.

So I have prepared a series of files from which anyone who’d like to help can extract a secret code that can be read out over the phone, or even just held up to the glass in the transit area for me to copy down.

When you’re ready, you’ll need a PDF file from here:

http://nakedsecurity.sophos.com/bh2013-sophospuzzle-the-snodwen-file

And you’ll need the password, a nine-digit number you can calculate with this simple algorithm, which I’ve written in my favourite programming language, MR-ISP.

I know you won’t so much as think of cracking the code until I give the signal, since gentlefolk don’t read other gentlefolks’ email.

And with that, I remain,

Yours sincerely,

Teddy Snodwen (Mr)

MR-ISP, eh? Subtle.

With some minor tweeks, that just about runs in FORTRAN, however unfortunately what you will very quickly notice is that the code is dealing with stupendously large numbers and a stupendously large precision number. The code is basically split into two parts:

Part 1: Iterate 1 billion times over the equation for phi to have that value to a very high degree of accuracy.
Part 2: Select digits from the decimal places of phi, in orders of magnitude increasing by 10. i.e. 1st decimal place, 10th, 100th, 1000th etc.

This doesn’t work in pretty much any programming language unless you use a library with which you can specify arbitrary precision of your numbers. So there are two ways of solving this:

Find an arbitrary precision library for FORTRAN, get it to work with the above code, run the code

Some other way which means I don’t have to touch any more FORTRAN or start looking for arbitrary precision libraries in another language

Obviously I chose #2. I can’t have been the first person on the internet to calculate phi to a ludicrous degree of accuracy. Indeed not. Someone had also written a program called y-cruncher which calculates famous constants to arbitrary precision and outputs them to a text file. Much nicer. I could then just pick out the digits by hand and come up with the 9 digit password for the PDF. Next.

Onion Skins Of Encryption

The Unlocked PDF has the URL and password for the next stage – another zip file. This contains a single text file – “e.9” – which contains Lua code. It’s clear from the first few characters that the code is an array of data encrypted using an XOR at some point:

k=11179023 o=bit32.bxor t=string.char f=math.floor c={
6501666,4735189,10824306,11719312,15507616,3654640,12739110
...
} function xit(n) local x=o(11994318,n) for i=1,24 do x=x*2 if x>=2^24 then x=o(x,25578747) end end return x end
function tit(n) return t(n%256)..t(f(n/256)%256)..t(f(n/65536)%256) end
p='' for i=1,#c do p=p..tit(o(k,c[i])) k=xit(k) end load(p)()

The code takes a very large array of integers, then iterates over them, XORing each integer against a key, then splitting the result into 3 bytes, adding that to a string and then creating a new key for the next iteration by shifting the old key one binary place to the left and then XORing that against a fixed number. Once all the iterations have finished the resulting string is loaded as Lua code and ran.

The first thing you would do once getting to this stage is to just run the code as is. You quickly find that:

It takes ages

It produces garbage

Clearly you need to change a few things. First of all, you don’t need to iterate over the entire array to find if it’s worked or not. Iterate over just 10 values by switching “#c” for “10” and switching “load(p)()” for “print(p)”. The next thing you have to do is make a few assumptions. What’s broken? The algorithm looks OK, so maybe the initial key isn’t right. To find a key for an XOR encrypted text is fairly easy if you know what the unencrypted text is for a part of the cypher text larger or equal to they key. The key is only 3 bytes long (only 3 characters), so this shouldn’t be too hard. I hadn’t used Lua before but to me, it looked like the last line “load(p)()” was treating “p” like a function and running it. Maybe the first line contains a function definition? I tried XORing the first 3 bytes of the cypher text against “fun” as in “function” using this code added to the end of e.9, replacing the normal decrypt loop:

This provides the reverse function of “tit”, “untit” and attempts to start the decryption by setting the initial key as the result of XORing the first 3 bytes with “fun”. If after 10 iterations the resulting string doesn’t contain “function” then the loop exits. If it does, then the decryption has worked and it continues to decrypt the rest of the array.

This didn’t work. The decrypted text clearly didn’t start with “fun”. So what then? The clue is the filename, “e.9”. The “e” is probably for “encryption” and the “9”? How about the 9th iteration? Suppose the file decrypts another selection of encrypted text? If it used the same algorithm that would mean the file started with “k=” and then a number between 0 and 9. Only 10 possible combinations of clear text for the first three bytes! I then took the above code and put it in a loop:

This attempts to decrypt using the known plaintext of “k=0”, “k=1” up to “k=9”. It then lets the algorithm carry on for 10 iterations and then tests to see if “bit32” has come out in the resulting string, as we know that this is also at the start of the code. If it has, it carries on decrypting the code and then writes it to file “e.8”.

As suspected, e.8 is basically the same, but slightly smaller. I could then just replace the array in my code with e.8’s, run it again and find e.7. Repeating this, you eventually get down to “e.1” and it stops working, suggesting that “e.0” doesn’t have the same code in it. We need a new known plaintext. Assuming e.0 was still Lua code, I tried a few things, eventually finding that it starts with “print”.

Extreme checksum

This is the final message:

print[[
In stage 1, you solved a crossword, extracted 24 characters
from the completed grid, and used six of those characters to
form a password.
Now take the remaining 18 characters and write them down in
reverse alphabetic order (Z..A).
Then write a dollar sign.
In stage two, you calculated more than 400,000,000 decimal
places of a certain transcendental number, and used nine of
those digits to form a password.
Now write down the nine digits from decimal places
100,000,001 to 100,000,009 inclusive.
Then write a dollar sign.
Now write four alphabetic characters (A-Z) of your choosing.
You should have a string of 33 characters. Ensure all letters
are upper case.
Calculate the 512-bit SHA-3 hash of this string, print it as
hexadecimal characters and use the first 20 as your answer.
Submit your answer as detailed here:
http://nakedsecurity.sophos.com/bh2013-final
]]

Fun! Basically, “You got this far, now prove again that you didn’t cheat”. If you were diligent in the early stages, you will have saved all your answers as you went along and this won’t take long. I took a screenshot of my crossword, thankfully but failed to save my digits of phi, so I had to do that bit again.

What’s with the last 4 characters? The puzzle author will check your hash against a rainbow table1 of 26^4 possible combinations to check you have the right answer, and presumably to restrict sharing of the hash.

Thanks to Paul Ducklin for the puzzle. It had a really nice difficulty curve that drew me in with an easy crossword and before too long I was writing in two programming languages I usually don’t touch.

[1] From the author:

“Less of a rainbow table and more of a list…only 26^4 options (about 0.5M).”

, however I consider anything I wouldn’t want to write by hand a rainbow table. Shopping list, you can do manually. Shopping rainbow table would be very expensive.

And the upswing in popularity of git is not just in small projects, but in deploying to web sites too, so much so that it’s now becoming increasingly more likely to find a site that is inadvertently serving the .git folder to the outside world.

With a little work it should be possible to reconstruct a repository remotely (object packs being the only hard part).

Of course, this isn’t a new problem – SVN has the same issue – but the fact that it’s slightly harder to parse that git metadata means it’s a nice opportunity to finally take the plunge and write some Python and learn more about git.

What’s in the .git folder?

an index file which, like SVN is effectively a database of all files in the project against hashes of those files. Unlike SVN, it’s in memory map format, which is much more fiddly to write code for

The entire site source code, reference by an SHA1 hash, compressed using zlib deflate

Logs of git actions such as commit in logs/HEAD

A small config file which is a good starting point to test if a .git directory is present or whether the site is configured to return 200 OK for any URL requested as it returns a very predictable format

Analysing the .git folder

As a starting point, to avoid having to parse the index file myself, I forked gin – a neat little index file parser written in Python. This already produces a readable and JSON encoded version of the file which I can then use to iterate over the files. The script looks at:

File extensions. Count which file extensions are the most popular. This tells us what our site is written in, if it wasn’t already obvious

“Interesting” files. Archive format files, backups, SQL, “hidden” files (beginning with “.”) such as .htaccess and .htpassword, files which might have DB configurations in them etc

The logs/HEAD file for emails and credentials stored in URLs

This then dumps this information out into a simple flat text interesting.lst file, a report.md file, containing the results of the above scan, a copy of index in its native format, readable text, json, and flat text and copies of config and logs/HEAD

Being a greedy git

At this point, you already have quite a lot of powerful info however if the script has managed the above, it will probably also be able to download the source code for the site. Since we’ve already determined a lot of interesting files in interesting.lst, we can use that (edit it and add to it) to download all those files to our computer. In git, the compressed source for a file (in “loose” format) is stored in .git/objects/ and is referenced by the SHA1 hash of itself. We have that hash, so we can try and download files.

Passing the “-I” command line argument to greedy-git will make it attempt to download everything in interesting.lst to ./files/ in the current working directory. If you really want to go overboard, you can pass “-a“, which will get as much of the site source code that it knows about, and passing “-g [remote/file/path]” will download just that file, or matching file pattern.

You now have a target site’s juicy source code. This could contain database or other credentials, clues to vulnerabilities or “security by obscurity” style back doors that the developer thought no one would find. All this is now just a few grep commands away.

Do use responsibly, and let me know if there is a way of guessing the pack file name – that would be the keys to the kingdom…

I recently dug out an old USB 1.1 Digital TV Tuner – a Hauppauge WinTV Nova-T USB, which I think I bought in about 2003 and eventually gave up on due to poor reliability under Windows, the crappy TV signal quality in Coventry and the success of excellent torrent sites like UKNova. Well, I’ve moved house now, and with an increased TV signal strength also came the bad news that I appear to be on a limited bandwidth ADSL line. I envisaged a single evening of plugging in the tuner, installing MythTV under Ubuntu and having a neat DVR to use.

Sadly, this was not to be the case.

Getting the tuner recognised under linux wasn’t too hard. The required firmware was already present in Ubuntu’s repositories but I couldn’t get the thing to scan. MythTV couldn’t open or ID the card and “scan” resulted in nothing. I even tested with the intended packaged drivers under Windows and got about as far.

Eventually, I found “w_scan” which does the kind of full-frequency scan your TV would do and was able to produce a channels.conf file in the format that tzap uses. Success! On the tzap page of the MythTV wiki it shows how you can use tzap to tune the device and “cat” to just dump the MPEG stream to file. Excellent – time for a quick and dirty script!

I then knocked up a “record” script, which takes easy-to-read commands like “record Eastenders on BBC ONE for 30”, tunes the card and dumps the MPEG stream to a sensible location. Combine that with some cron and I’ve got a hacky little DVR. XBMC can do the front end stuff.

I now have to get used to the idea of knowing I want to watch something before it airs, like we used to do in the 90s.

First there was FireSheep. It allows anyone to hijack HTTP session cookies for a number of sites for anyone using them on the same open access point as you. Now, a predictable counter point for that is that someone would come up with “FireShepherd” to protect this poor flock. However, FireShepherd is no where near as fun as FireSheep – all it does is try and crash FireSheep with fake data and hope for the best, meanwhile your session info is still being transmitted in the clear.

Ideas for FireShepherd to be more useful/fun:

Have it force SSL connections on all the same sites that FireSheep snoops on, making session hijacking impossible. Plugins like Force-TLS do this.

Have it create bogus logins to sites where the user’s profile pic has been set as goatse, tubgirl etc. When the FireSheep user grabs that user’s session data they will have those lovely pics appear in their stolen sessions list.

(getting crazy here) have it perform a man-in-the-middle attack on the wireless network, replacing the network’s router as the default gateway or DNS server. You can then point people to fake versions of captured websites and feed the FireSheep user whatever you want. Oops, there’s goatse again! Oh, what’s that you just went to? A malware site? Careless FireSheep user!

Anyway, there’re some ideas. As Steve Gibson pointed out in the last Security Now, simply switching a network to WPA is enough to protect all the users from this attack. If you’re running a Cafe and want to provide free wifi you can make the network password as public as you want – make a poster and stick it above the till. It is unencrypted wifi, not wifi itself that allows user sessions to be hijacked like this.

As I’m sure you all noticed last week, the latest fun leaked data from a polical party came from the BNP who somehow had their entire membership list leaked onto the internet. For people like myself this presented two fun opportunities:

To do a little bit of geographical and statistical analysis on some odd data

To laugh at a bunch of hate-filled racists

There were quite a few nuggets of statistical analysis in the first couple of days: A proximity checker to see which of your neighbours members, the obligatory google maps mashups (since, sensibly taken down), a sort of heat map and the Grauniad did an excellent map broken into electoral wards. They were all pretty good, but they still rather suffered from the problem that you see “hot spots” in areas which are naturally population nodes. There was no accounting for population density.

Anyway, in a spare moment I took a copy of the database, cleaned up the postcode information a bit, ran it through a geocoder to get lat and long data and then ran that through a lookup for population density and then grouped the data by postcode area. What I now have is a count of each person in a postcode area, divided by the population density – this should then give a population normalised rank of how hate-filled post code areas are. Anyway, here’s the Top 40, Top Of The Pops style:

They’ve clearly gotten a new marketing person over at Berocca in the past year. Having not really touched TV ads until now, they launched a campaign which is clearly targetted at the blogosphere which featured a slighty embarrassing rip-off of OK Go‘s “Here It Goes Again” and now they’re buying blog posts by launching their “Blogger Relief” campaign. You can register your blog and if they like it they’ll send you a box of free stress relieving gizmos.

I don’t need to be paid off to thoroughly recommend Berocca – I’ve been addicted to the stuff for years and it’s saved my life countless times, however the odd cheap bribe never hurt anyone.

If that still doesn’t convince you, the prospect of luminescent orange pee after a glass always brightens up a dull day (and freaks out anyone else in the public toilet).

I had a very nice email from Angela at Wikia this morning, inviting me to move the Beebhack Wiki over to their hosting. I think the only reason Beebhack wasn’t over there in the first place was potential hassle around getting a free wiki approved by their staff. Since they’d been kind enough to email me over there, this was no longer a problem.

So, a good time to take advantage of a better implementation of MediaWiki than we had at BluWiki and hopefully some better uptime. Angela even imported all our existing wiki data for us.

The beeb added a little update to the iPlayer again today, clearly as part of their (admirable) attempts at getting iPlayer working on exotic devices iPlayer is now Wii optimised! How cool! I’ve not tested it out, but this is the first “official” iPlayer version which is actually designed to display TV shows on a TV. We are living in the future!

I’ve written a few technical notes over on the Wiki, but basically they’re using the User-Agent string to serve a Flash 7 compatible stream.

Speaking of User-Agents, I’m hearing that the iPhone version of iPlayer has been tightening down on what User-Agent string you can get away with when you pretend to be an iPhone. No more “iPhone, LOL” strings I’m afraid 😉

In the first 24 hrs it got 1500 page requests and it’s not looking to slow down just yet. I would have hosted it here at Strawp.net but I wanted this to be more community owned than something I would run.

The downside of course is that I really don’t have any detailed information on where any of those hits are coming from…

A few weeks ago I got a bluetooth GPS module for my iPaq, just to play around with. Since Wififofum collects GPS data if it’s available, I’ve been recording wireless access point data as I’ve been walking about the town, commuting to work or driving.

The data I’ve gotten so far (about 600 access points) isn’t that useful on its own, but what’s really interesting is slicing the data in various ways and seeing what you come up with. To do this I built a new site: wifi.strawp.net into which I can upload the log files from wififofum. For a day or so I had the front page of the site plot location data of access points into Google Maps, searchable by SSID, manufacturer, channel etc, however I was advised by friends that doing so was probably a really bad idea, so this information is now on a login-only basis.

The fun part, which is still publicly available is the stats page. If you’ve got a friend that you’re trying to convince they need to secure their wireless network, link them to that page. You can currently see the most popular manufacturers, the most commonly used SSID and – my favourite – the number of access points that have their default SSID and appear to have no encryption set. This is currently at just over one in six (16.9%), which is quite frankly frightening. You probably won’t be surprised to learn that the best place to look if you want to stumble across one of these access points is a suburban area where if Coventry is anything to go by, you’re likely to find an insecure access point on any street you care to walk down.